Date: Mon, 15 Sep 2003 04:15:26 -0700 From: Luigi Rizzo <rizzo@icir.org> To: ipfw@freebsd.org Subject: ipfw2 logging through tcpdump ? Message-ID: <20030915041525.B77950@xorpc.icir.org>
Having recently played a bit with largish ipfw configurations, I would have really liked to have a more flexible logging facility for ipfw.

It occurred to me that one way could be to extend the ipfw2 "log" option to optionally pass to a bpf listener a copy of the packets selected by the ipfw rule (maybe with some tag showing the rule they come from), so that one can run a tcpdump on that stream when detailed analysis is required, and have essentially zero overhead in other cases.

What do people think?

Implementation should be almost trivial, amounting to creating a fake struct ifnet for ipfw2 (suitably initialized to give it a name and pretend it is up and running and has an address assigned), calling bpfattach() on it, and then implementing an ipfw2 instruction which always succeeds and, if there is a listener, calls bpf_mtap on the mbuf.

Does this make sense? And, any idea on how to tag the packet with a rule number in a way that tcpdump can filter? (Yes, I am looking for dirty hacks here...)

(And speaking of dirty hacks, of course layer3 packets can be easily prepended with a fake MAC header which includes the matching rule number in the ether src/dst addresses, but this trick won't work for layer2 packets, which we do care about.)

cheers
luigi
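The "fake MAC header" tagging trick from the message above, worked through in userland C as an added example (this is not code from the mail or from FreeBSD; ipfw_log_encap, ipfw_log_rule and the 02:00:00:00 tag prefix are hypothetical). It shows why the trick is limited to layer-3 packets: the ethertype must be derived from the IP version nibble so that tcpdump still decodes the payload, and a frame that already has a MAC header has no place for the tag.

```c
/* Added example: tag a layer-3 packet copied to a bpf listener with the
 * ipfw rule number by prepending a fake Ethernet header. Hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FAKE_ETHER_HDR_LEN 14
#define ETHERTYPE_IP_      0x0800
#define ETHERTYPE_IPV6_    0x86DD

/* Locally-administered unicast prefix, so the fake addresses cannot be
 * confused with a real NIC. The rule number rides in the last two octets
 * of the source address. */
static const uint8_t tag_prefix[4] = { 0x02, 0x00, 0x00, 0x00 };

/* Prepend the fake header to an IPv4/IPv6 packet. Returns the new frame
 * length, or 0 if the buffer is too small or the version nibble is
 * neither 4 nor 6 (a layer-2 frame would land here). */
size_t ipfw_log_encap(const uint8_t *l3, size_t len, uint16_t rule,
                      uint8_t *out, size_t outcap)
{
    uint16_t etype;
    if (len == 0 || outcap < FAKE_ETHER_HDR_LEN + len) return 0;
    switch (l3[0] >> 4) {
    case 4: etype = ETHERTYPE_IP_;   break;
    case 6: etype = ETHERTYPE_IPV6_; break;
    default: return 0;
    }
    memcpy(out, tag_prefix, 4);          /* dst: constant tag address */
    out[4] = 0; out[5] = 0;
    memcpy(out + 6, tag_prefix, 4);      /* src: tag prefix + rule number */
    out[10] = (uint8_t)(rule >> 8);
    out[11] = (uint8_t)(rule & 0xff);
    out[12] = (uint8_t)(etype >> 8);     /* lets tcpdump decode the payload */
    out[13] = (uint8_t)(etype & 0xff);
    memcpy(out + FAKE_ETHER_HDR_LEN, l3, len);
    return FAKE_ETHER_HDR_LEN + len;
}

/* Recover the rule number from a tagged frame, the same check a filter
 * such as "ether src 02:00:00:00:xx:yy" performs. Returns -1 if the
 * frame does not carry the tag. */
int ipfw_log_rule(const uint8_t *frame, size_t len)
{
    if (len < FAKE_ETHER_HDR_LEN) return -1;
    if (memcmp(frame, tag_prefix, 4) != 0 ||
        memcmp(frame + 6, tag_prefix, 4) != 0) return -1;
    return (frame[10] << 8) | frame[11];
}
```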